Endpoint malware detection using an event graph

US2017300690A1 · US · A1

Patent metadata
Publication number: US-2017300690-A1
Application number: US-201715484830-A
Country: US
Kind code: A1
Filing date: Apr 11, 2017
Priority date: Apr 15, 2016
Publication date: Oct 19, 2017
Grant date: (not listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of: instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment on the endpoint; selecting a set of logical locations from the plurality of logical locations; recording a sequence of events causally relating the number of computing objects at the set of logical locations; creating an event graph based on the sequence of events; evaluating a security state of the endpoint based on the event graph; adjusting the set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the set of logical locations according to the security state of the endpoint; and remediating the endpoint when the security state is compromised.

2. A method for malware detection comprising: instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the first endpoint; selecting a first set of logical locations from the plurality of logical locations; recording a sequence of events causally relating the number of computing objects at the first set of logical locations; creating an event graph based on the sequence of events; applying a malware detection rule to the event graph; and remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.

3. The method of claim 2 wherein selecting the first set of logical locations includes selecting a group from the plurality of logical locations based on exposure to an external environment.

4. The method of claim 2 wherein selecting the first set of logical locations includes selecting a group from the plurality of logical locations based on reputation.

5. The method of claim 4 further comprising excluding at least one of the plurality of logical locations associated with a known, good process.

6. The method of claim 2 further comprising selecting a second set of logical locations different from the first set of logical locations in response to an observed event graph for the sequence of events.

7. The method of claim 2 further comprising adding one or more of the plurality of logical locations to the first set of logical locations in response to a detected increase in security risk.

8. The method of claim 2 further comprising removing one of the plurality of logical locations from the first set of logical locations in response to a detected decrease in security risk.

9. The method of claim 2 further comprising filtering one or more of the events in the sequence of events according to reputation.

10. The method of claim 2 wherein the plurality of logical locations include at least one endpoint separate from the first endpoint.

11. The method of claim 2 wherein the plurality of logical locations include at least one programming interface to a human interface device.

12. The method of claim 2 further comprising identifying one of the computing objects as a cause of the compromised security state and remediating the one of the computing objects.

13. The method of claim 2 further comprising traversing the event graph forward from the cause to identify one or more other ones of the computing objects affected by the cause.

14. The method of claim 2 wherein the number of causal relationships include a data flow.

15. The method of claim 2 wherein the number of causal relationships include a control flow.

16. The method of claim 2 wherein the number of causal relationships include a network flow.

17. The method of claim 2 wherein the one or more computing objects include one or more types of computing objects selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device.

18. The method of claim 2 wherein a number of events within the sequence of events are preserved for a predetermined time window, and further wherein the predetermined time window has a different duration for at least two different types of computing objects.

19. An endpoint comprising: a network interface; a memory; and a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, selecting a first set of logical locations from the plurality of logical locations, recording a sequence of events causally relating the number of computing objects at the first set of logical locations, creating an event graph based on the sequence of events, applying a malware detection rule to the event graph, and remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.

20. The endpoint of claim 19, wherein the processor is further configured to adjust the set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the set of logical locations according to a security state of the endpoint.
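An added, runnable sketch (not the patent's or Sophos's own code) of the pipeline the claims describe: events recorded at a chosen set of logical locations are turned into an event graph of control, data and network flows, a detection rule is applied, the cause is identified and the graph is traversed forward to find the objects it affected, and the recorded locations are widened or narrowed with the security state. The event list, the rule and the location names are constructed for illustration and are assumptions, not values from the patent.

```python
from collections import defaultdict

# Constructed sample event sequence: (source object, causal relation, destination object, logical location).
EVENTS = [
    ("winword.exe", "control", "cmd.exe", "process_create"),
    ("cmd.exe", "control", "powershell.exe", "process_create"),
    ("powershell.exe", "data", "C:/Users/a/doc1.txt", "file_write"),
    ("powershell.exe", "data", "C:/Users/a/doc2.txt", "file_write"),
    ("powershell.exe", "network", "203.0.113.7:443", "network_connect"),
    ("explorer.exe", "control", "notepad.exe", "process_create"),
]

# Hypothetical reputation list: processes that routinely open externally supplied documents.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}


def build_event_graph(events, recording):
    """Adjacency list object -> [(relation, object)], keeping only events at the recorded locations."""
    graph = defaultdict(list)
    for src, rel, dst, loc in events:
        if loc in recording:
            graph[src].append((rel, dst))
    return graph


def traverse_forward(graph, start):
    """Every object reachable from `start` (forward traversal from a cause, as in claim 13)."""
    seen, stack = set(), [start]
    while stack:
        for _rel, child in graph.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def evaluate_endpoint(graph):
    """Example rule: a document app spawns a process whose descendants both write files and reach the network."""
    for app in DOCUMENT_APPS:
        for child in (c for r, c in graph.get(app, []) if r == "control"):
            downstream = {child} | traverse_forward(graph, child)
            relations = {r for node in downstream for r, _ in graph.get(node, [])}
            if {"data", "network"} <= relations:  # data flow and network flow both present downstream
                return {"compromised": True, "cause": child, "affected": traverse_forward(graph, child)}
    return {"compromised": False, "cause": None, "affected": set()}


def adjust_locations(recording, compromised):
    """Widen the recorded locations when the endpoint looks compromised, narrow them when it looks healthy."""
    extra = {"registry_write", "hid_input"}
    return set(recording) | extra if compromised else set(recording) - extra
```

Dropping a location from the recorded set (as claim 8 allows on decreased risk) also drops the evidence the rule needs, which is why the second evaluation below no longer fires.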

Assignees

Sophos Ltd
Inventors

Classifications

  • Auditing as a secondary aspect · CPC title

  • Test or assess a computer or a system · CPC title

  • G06F21/56 · Primary

    Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • involving event detection and direct action · CPC title

  • Updates (security arrangements therefor G06F21/57) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2017300690A1 cover?
A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the en…
Who is the assignee on this patent?
Sophos Ltd
What technology area does this patent fall under?
Primary CPC classification G06F21/56. Mapped technology areas include Physics.
When was this patent published?
Publication date Oct 19, 2017 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).