Systems and methods for using event-correlation graphs to generate remediation procedures

What is claimed is: 1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising: detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein: the event-correlation graph comprises at least: a first node that represents the first actor; a second node that represents a second actor; and an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor; each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; calculating, by the at least one computing device based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph; determining that the attack score is greater than a predetermined threshold; determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system; using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system. 2. The method of claim 1 , further comprising recommending the procedure to at least one of: an administrator of the computing system; a user of the computing system. 3. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that security credentials were accessed during the attack; generating a procedure for resetting the security credentials. 4. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that a keylogger was executed on a computing device within the computing system on which security credentials were accessible; generating a procedure for resetting the security credentials. 5. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that a domain controller was infected during the attack; generating a procedure for resetting security credentials managed by the domain controller. 6. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that an actor involved in the attack is external to the computing system; generating a procedure for adding the external actor to a blacklist. 7. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that a benign application was involved in the attack; generating a procedure for improving the security of the benign application. 8. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that a nonessential benign application was involved in the attack; generating a procedure for reducing use of the nonessential benign application. 9. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that a hacking tool was involved in the attack; generating a procedure for removing the hacking tool. 10. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that an actor involved in the attack made modifications to a file system; generating a procedure for undoing the modifications to the file system. 11. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that an actor involved in the attack made modifications to a registry; generating a procedure for undoing the modifications to the registry. 12. The method of claim 1 , wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to determine that unencrypted communications occurred during the attack; notifying an administrator of the unencrypted communications that occurred during the attack. 13. The method of claim 1 , wherein: the attack comprises a phishing attack; using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises: using the event-correlation graph to identify at least one user involved in the phishing attack; performing at least one of: notifying an administrator of the user involved in the phishing attack; generating a procedure for educating the user about phishing attacks. 14. The method of claim 1 , wherein calculating the attack score for the event-correlation graph comprises: calculating a score for each edge within the event-correlation graph based at least in part on a suspiciousness score associated with the suspicious event represented by the edge; summing the scores of each edge within the event-correlation graph. 15. The method of claim 1 , wherein calculating the attack score for the event-correlation graph comprises: calculating a score for each node within the event-correlation graph based at least in part on a suspiciousness score associated with each suspicious event associated with the node; summing the scores of each node within the event-correlation graph. 16. A system for using event-correlation graphs to generate remediation procedures, the system comprising: a detecting module, stored in memory, that detects a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; a constructing module, stored in memory, that: constructs, in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein: the event-correlation graph comprises at least: a first node that represents the first actor; a second node that represents a second actor; and an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor; each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; calculates, ba