Method for monitoring the security of a virtual machine in a cloud computing architecture
US-2017124326-A1 · May 4, 2017 · US
US2017180318A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017180318-A1 |
| Application number | US-201615383082-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 19, 2016 |
| Priority date | Dec 19, 2015 |
| Publication date | Jun 22, 2017 |
| Grant date | — |
Abstract
Described systems and methods enable protecting multiple client systems (e.g., a corporate network) from computer security threats such as malicious software and intrusion. In some embodiments, each protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.
Claims
What is claimed is:

1. A client computer system comprising a hardware processor configured to execute a hypervisor, a live introspection engine, and an on-demand introspection engine, wherein: the hypervisor is configured to expose a guest virtual machine (VM) and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs; the live introspection engine is configured, in response to detecting an occurrence of an event within the guest VM, to transmit an indicator of the event to a remote server computer system over a communication network; and the on-demand introspection engine is configured to: in response to the live introspection engine transmitting the indicator of the event to the remote server computer system, receive an analysis request from the remote server computer system, the analysis request indicating a security tool residing in a remote tool repository configured to distribute security tools to a plurality of clients including the client computer system, the security tool comprising software configured to analyze the occurrence of the event, the security tool selected by the remote server computer system according to an event type of the event, in response to receiving the analysis request, identify the security tool according to the analysis request, in response to identifying the security tool, selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises connecting to the central tool repository over the communication network, in response to selectively retrieving the security tool, execute the security tool, and in response to executing the security tool, transmit a result of executing the security tool to the remote server computer system.

2. The client computer system of claim 1, wherein the remote server computer system is further configured to determine whether the client computer system comprises malicious software according to the result.

3. The client computer system of claim 1, wherein the remote server computer system is further configured to detect a malicious intrusion of the client computer system according to the result.

4. The client computer system of claim 1, wherein the on-demand introspection engine is further configured to: in response to transmitting the result to the remote server computer system, receive from the remote server computer system an indicator of a mitigation tool residing in the remote tool repository, the mitigation tool comprising software configured to incapacitate malicious software executing on the client computer system; and in response to receiving the indicator of the mitigation tool, retrieve and execute the mitigation tool.

5. The client computer system of claim 1, wherein the live introspection engine is further configured to: in response to detecting the occurrence of the event, determine according to an event type of the event whether an event eligibility condition is satisfied; and in response, transmit the indicator of the event to the remote server computer system only when the event eligibility condition is satisfied.

6. The client computer system of claim 1, wherein retrieving the security tool from the remote tool repository comprises mounting the remote tool repository onto a file system of the security VM.

7. The client computer system of claim 1, wherein the security VM further comprises a network filter and wherein the hypervisor is further configured to route network traffic between the guest VM and a remote party via the network filter.

8. The client computer system of claim 7, wherein: the remote server computer system is further configured, in response to determining whether the client computer system comprises malicious software, when the client computer system comprises malicious software, to send a security alert to the client computer system; and the network filter is configured, in response to the client computer system receiving the security alert, to restrict network traffic between the guest VM and the remote party.

9. The client computer system of claim 1, wherein the result of executing the security tool comprises a copy of a content of a section of memory used by the guest VM.

10. The client computer system of claim 1, wherein the result of executing the security tool comprises a list of software entities executing within the guest VM.

11. The client computer system of claim 1, wherein the result of executing the security tool comprises an indicator of a hardware configuration of the client computer system.

12. The client computer system of claim 1, wherein: the hypervisor is configured to establish a secure point-to-point communication channel between the remote server computer system and the security VM; and the on-demand introspection engine is configured to receive the analysis request and transmit the result via the secure point-to-point communication channel.

13. A server computer configured to perform computer security transactions with a plurality of client systems, the server computer system comprising a hardware processor configured to: in response to receiving an event indicator from a client system of the plurality of client systems, the event indicator indicative of an occurrence of an event within a guest virtual machine (VM) executing on the client system, select a security tool residing in a remote tool repository configured to distribute security tools to the plurality of client systems, the security tool comprising software configured to analyze the occurrence of the event, wherein selecting the security tool is performed according to an event type of the event; in response to selecting the security tool, transmit an analysis request to the client system over a communication network, the analysis request comprising an identifier of the security tool; and in response to transmitting the indicator of the security tool, receive from the client system a result of executing the security tool on the client system, wherein the client system is configured to execute a hypervisor, a live introspection engine, and an on-demand introspection engine, wherein: the hypervisor is configured to expose the guest VM and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs, the live introspection engine is configured, in response to detecting the occurrence of the event, to transmit the event indicator to the server computer system, and the on-demand introspection engine is configured to: in response to receiving the analysis request, identify the security tool according to the analysis request, in response to identifying the security tool, selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises the client system connecting to the remote tool repository over the communication network, and in response to retrieving the security tool, execute the security tool to produce the result.

14. The server computer of claim 13, wherein the hardware processor is further configured to determine whether the client system comprises malicious software according to the result.

15. The server computer of claim 13, wherein the hardware processor is further configured to detect a malicious intrusion of the client system according to the result.
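The abstract and claims 1 through 15 describe a request/response protocol rather than a single algorithm: the live introspection engine reports an eligible event, the server picks a forensic tool by event type, the on-demand engine in the security VM fetches that tool from the shared repository and runs it, and the server turns the result into a verdict, an alert, and optionally a mitigation tool. The following Python simulation is an added example written for this page; it is not code from the patent or its assignee. The engine and message names are the patent's terms; the tool identifiers, the event types, the guest view, the denylist used for the verdict, the mitigation tool identifier, and the SHA-256 digest check on the retrieved tool are all constructed assumptions (the digest check in particular is an integrity precaution a practitioner would add, not something the claims require).

```python
import hashlib
from dataclasses import dataclass

# --- Constructed tool repository (claim 1: one repository serving many clients) ---
def list_guest_processes(guest_view):
    """Forensic tool stand-in: report the software entities running in the guest (claim 10)."""
    return {"processes": sorted(guest_view["processes"])}

def dump_guest_memory(guest_view):
    """Forensic tool stand-in: copy a section of guest memory, returned as hex (claim 9)."""
    return {"memory": guest_view["memory"][:8].hex()}

def tool_digest(tool):
    # Stand-in for hashing a tool binary: hash the function's bytecode. The digest check
    # is an added integrity precaution (assumption), not part of the claims.
    return hashlib.sha256(tool.__code__.co_code).hexdigest()

TOOL_REPOSITORY = {"proc-list-1.0": list_guest_processes, "mem-dump-1.0": dump_guest_memory}
TOOL_DIGESTS = {tid: tool_digest(fn) for tid, fn in TOOL_REPOSITORY.items()}

@dataclass
class EventIndicator:          # client -> server (claim 1)
    client_id: str
    event_type: str

@dataclass
class AnalysisRequest:         # server -> client (claims 1 and 13)
    tool_id: str
    expected_digest: str       # assumption: lets the client refuse a substituted tool

class LiveIntrospectionEngine:
    """Runs outside the guest and security VMs; forwards only eligible event types (claim 5)."""
    def __init__(self, client_id, eligible_types):
        self.client_id, self.eligible_types = client_id, frozenset(eligible_types)
    def observe(self, event_type):
        return EventIndicator(self.client_id, event_type) if event_type in self.eligible_types else None

class NetworkFilter:
    """Sits in the security VM on the guest's traffic path; restricts traffic on alert (claims 7, 8)."""
    def __init__(self):
        self.restricted = False
    def on_security_alert(self):
        self.restricted = True

class OnDemandIntrospectionEngine:
    """Runs inside the security VM; identifies, retrieves and executes the requested tool."""
    def __init__(self, guest_view, repository, digests):
        self.guest_view, self.repository, self.digests = guest_view, repository, digests
    def handle_request(self, req):
        tool = self.repository.get(req.tool_id)            # identify the tool from the request
        if tool is None:
            return {"error": "unknown tool %s" % req.tool_id}
        if self.digests.get(req.tool_id) != req.expected_digest:
            return {"error": "tool digest mismatch, refusing to execute"}
        return tool(self.guest_view)                       # execute and produce the result

class SecurityServer:
    """Selects a tool by event type and judges the returned result (claims 2, 3, 4, 8, 13)."""
    TOOL_FOR_EVENT = {"process_create": "proc-list-1.0", "exec_page_write": "mem-dump-1.0"}
    KNOWN_BAD_PROCESSES = {"evil-dropper"}   # constructed indicator of compromise
    KNOWN_BAD_MEMORY_PREFIX = "deadbeef"     # constructed marker in the memory dump
    def select_tool(self, indicator):
        tid = self.TOOL_FOR_EVENT.get(indicator.event_type)
        return AnalysisRequest(tid, TOOL_DIGESTS[tid]) if tid else None
    def evaluate(self, result):
        if "error" in result:
            return {"malicious": None, "alert": False, "mitigation_tool": None}
        bad = bool(self.KNOWN_BAD_PROCESSES & set(result.get("processes", []))) \
            or result.get("memory", "").startswith(self.KNOWN_BAD_MEMORY_PREFIX)
        return {"malicious": bad, "alert": bad,
                "mitigation_tool": "quarantine-1.0" if bad else None}   # constructed id

def run_exchange(live, on_demand, server, net_filter, event_type):
    """Drive one full exchange; returns the message transcript and the server verdict."""
    transcript = []
    indicator = live.observe(event_type)
    if indicator is None:
        transcript.append(("client", "suppressed by eligibility condition", event_type))
        return transcript, None
    transcript.append(("client->server", "event", indicator.event_type))
    req = server.select_tool(indicator)
    if req is None:
        transcript.append(("server", "no tool for event type", event_type))
        return transcript, None
    transcript.append(("server->client", "analysis_request", req.tool_id))
    result = on_demand.handle_request(req)
    transcript.append(("client->server", "result", result))
    verdict = server.evaluate(result)
    if verdict["alert"]:
        net_filter.on_security_alert()
        transcript.append(("server->client", "security_alert", verdict["mitigation_tool"]))
    return transcript, verdict

if __name__ == "__main__":
    guest = {"processes": ["init", "sshd", "evil-dropper"], "memory": bytes(range(16))}  # constructed
    live = LiveIntrospectionEngine("client-A", ["process_create", "exec_page_write"])
    on_demand = OnDemandIntrospectionEngine(guest, TOOL_REPOSITORY, TOOL_DIGESTS)
    for step in run_exchange(live, on_demand, SecurityServer(), NetworkFilter(), "process_create")[0]:
        print(step)
```

The eligibility filter in the live engine and the event-type lookup on the server are the two places where this design keeps forensic load bounded: only a subset of guest events leaves the client, and the server decides which tool is worth running for each type. The digest check in the on-demand engine is the one step added beyond the claims; since the security VM executes whatever the repository hands it, verifying the tool against what the server expected is what keeps a compromised or spoofed repository from turning the forensic channel into a delivery channel.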
CPC classification titles:
- using dedicated hardware
- eliminating virus, restoring damaged files
- Hypervisors; Virtual machine monitors
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Event management; Broadcasting; Multicasting; Notifications