Detection of pileup vulnerabilities in mobile operating systems
US-2016044049-A1 · Feb 11, 2016 · US
US2023252130A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2023252130-A1 |
| Application number | US-202318136254-A |
| Country | US |
| Kind code | A1 |
| Filing date | Apr 18, 2023 |
| Priority date | Apr 6, 2018 |
| Publication date | Aug 10, 2023 |
| Grant date | — |
Abstract
Techniques for process privilege escalation protection in a computing environment are disclosed. In some embodiments, a system/process/computer program product for process privilege escalation protection in a computing environment includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
Claims (preview)

What is claimed is:

1. A system, comprising: a processor configured to: detect an unauthorized change in a cached initial token value associated with a process executed on a computing device, wherein the cached initial token value is checked for changes in response to a trigger event in order to detect an unauthorized change to the initial token value or to detect a stealing of the token by another process executed on the computing device, wherein the initial token value is cached in a data store for caching stored process credentials and tracking processed credential changes, and wherein the data store maintains a cache of processes executing on the computing device along with their credentials and process tree; and perform an action based on a policy in response to the unauthorized change in the cached initial token value associated with the process to facilitate detection of a token stealing operation after it is completed but before any privileged user mode operation is executed in user mode, wherein the policy comprises a whitelisted set of processes, and wherein the performing of the action comprises to compare the process with one or more processes of the whitelisted set of processes to determine whether to perform the action; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system of claim 1, wherein the trigger event includes a new process creation, a thread creation, a registry operation, a file operation, or any combination thereof.

3. The system of claim 1, wherein the processor is further configured to: detect an attempt to change the cached initial token value associated with the process to a value that is associated with another process executed on the computing device.

4. The system of claim 1, wherein the processor is further configured to: detect an attempt to change the cached initial token value associated with the process to a value that is associated with another process executed on the computing device that has kernel privileges.

5. The system of claim 1, wherein the processor is further configured to: perform a privilege escalation protection action based on the policy in response to the unauthorized change in the cached initial token value associated with the process, wherein the privilege escalation protection action comprises one or more of the following: killing the process, generating an alert, and/or logging activities associated with the process monitored on the computing device.

6. The system of claim 1, wherein the processor is further configured to: kill the process based on the policy in response to the unauthorized change in the cached initial token value associated with the process.

7. The system of claim 1, wherein the processor is further configured to: generate an alert based on the policy in response to the unauthorized change in the cached initial token value associated with the process.

8. The system of claim 1, wherein the processor is further configured to: generate a user interface for configuring and viewing security events triggered by privilege escalation related activities.

9. A method, comprising: detecting an unauthorized change in a cached initial token value associated with a process executed on a computing device, wherein the cached initial token value is checked for changes in response to a trigger event in order to detect an unauthorized change to the initial token value or to detect a stealing of the token by another process executed on the computing device, wherein the initial token value is cached in a data store for caching stored process credentials and tracking processed credential changes, and wherein the data store maintains a cache of processes executing on the computing device along with their credentials and process tree; and performing an action based on a policy in response to the unauthorized change in the cached initial token value associated with the process to facilitate detection of a token stealing operation after it is completed but before any privileged user mode operation is executed in user mode, wherein the policy comprises a whitelisted set of processes, and wherein the performing of the action comprises to compare the process with one or more processes of the whitelisted set of processes to determine whether to perform the action.

10. The method of claim 9, wherein the trigger event includes a new process creation, a thread creation, a registry operation, a file operation, or any combination thereof.

11. The method of claim 9, further comprising detecting an attempt to change the cached initial token value associated with the process to a value that is associated with another process executed on the computing device.

12. The method of claim 9, further comprising detecting an attempt to change the cached initial token value associated with the process to a value that is associated with another process executed on the computing device that has kernel privileges.

13. The method of claim 9, further comprising performing a privilege escalation protection action based on the policy in response to the unauthorized change in the cached initial token value associated with the process, wherein the privilege escalation protection action comprises one or more of the following: killing the process, generating an alert, and/or logging activities associated with the process monitored on the computing device.

14. The method of claim 9, further comprising killing the process based on the policy in response to the unauthorized change in the cached initial token value associated with the process.

15. The method of claim 9, further comprising generating an alert based on the policy in response to the unauthorized change in the cached initial token value associated with the process.

16. The method of claim 9, further comprising generating a user interface for configuring and viewing security events triggered by privilege escalation related activities.

17. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for: detecting an unauthorized change in a cached initial token value associated with a process executed on a computing device, wherein the cached initial token value is checked for changes in response to a trigger event in order to detect an unauthorized change to the initial token value or to detect a stealing of the token by another process executed on the computing device, wherein the initial token value is cached in a data store for caching stored process credentials and tracking processed credential changes, and wherein the data store maintains a cache of processes executing on the computing device along with their credentials and process tree; and performing an action based on a policy in response to the unauthorized change in the cached initial token value associated with the process to facilitate detection of a token stealing operation after it is completed but before any privileged user mode operation is executed in user mode, wherein the policy comprises a whitelisted set of processes, and wherein the performing of the action comprises to compare the process with one or more processes of the whitelisted set of processes to determine whether to perform the action.

18. The computer program product recited in claim 17, wherein the trigger event includes a new process creation, a thread creation, a registry operation, a file operation, or
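The check the claims describe, as an added model that is not code from the patent or from any product: a credential cache keyed by pid records each process's initial token and parent, a trigger event (the kinds listed in claim 2) re-reads the live token and compares it with the cached one, a match with another process's token is classified as token stealing, and the whitelist policy decides the action. Process names, pids and token values are constructed placeholders.

```python
# Trigger events named in claim 2, at which the cached token is re-checked.
TRIGGERS = {"process_create", "thread_create", "registry_op", "file_op"}

class CredentialCache:
    """Data store of running processes, their cached initial token and process tree."""
    def __init__(self, whitelist):
        self.procs = {}                  # pid -> {"name", "ppid", "token"}
        self.whitelist = set(whitelist)  # policy: process names allowed to change token

    def on_process_create(self, pid, name, parent_pid, token):
        # The token seen at creation is the "initial token value" of the claims.
        self.procs[pid] = {"name": name, "ppid": parent_pid, "token": token}

    def on_trigger(self, kind, pid, current_token):
        """Compare the live token with the cached value; return a finding or None."""
        if kind not in TRIGGERS or pid not in self.procs:
            return None
        entry = self.procs[pid]
        if current_token == entry["token"]:
            return None
        # Token differs from the cached initial value. If it now equals another
        # process's token, the claims treat it as token stealing (claims 3 and 4).
        donors = [p for p, e in self.procs.items()
                  if p != pid and e["token"] == current_token]
        finding = "token_stealing" if donors else "unauthorized_change"
        action = "log" if entry["name"] in self.whitelist else "kill+alert"  # claim 5
        return {"pid": pid, "process": entry["name"], "trigger": kind,
                "finding": finding, "stolen_from": donors, "action": action}

def run_events(events, whitelist):
    """Feed create/trigger events through the cache; return the list of findings."""
    cache, findings = CredentialCache(whitelist), []
    for ev in events:
        if ev[0] == "create":
            cache.on_process_create(*ev[1:])
        else:
            f = cache.on_trigger(*ev[1:])
            if f:
                findings.append(f)
    return findings

# Constructed event stream (not real telemetry); token values are placeholders.
SAMPLE_EVENTS = [
    ("create", 4, "System", None, 0xA1),
    ("create", 1200, "explorer.exe", 4, 0xB2),
    ("create", 3100, "notepad.exe", 1200, 0xC3),
    ("create", 3200, "backup-agent.exe", 1200, 0xD4),
    ("trigger", "file_op", 3100, 0xC3),        # token unchanged: no finding
    ("trigger", "thread_create", 3100, 0xA1),  # notepad now carries System's token
    ("trigger", "registry_op", 3200, 0xE5),    # whitelisted agent, token changed
]
```

Running `run_events(SAMPLE_EVENTS, {"backup-agent.exe"})` yields two findings: a token-stealing hit on pid 3100 marked kill+alert, and an unauthorized change on the whitelisted agent that is only logged.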
CPC classifications:

- by adding security routines or objects to programs
- Program or device authentication
- Test or assess software
- Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- involving event detection and direct action