Insight utilized the telemetry data from Symantec’s vast customer base (millions of users). It analyzed files based on their "reputation":
In the 2014 version, SONAR was tuned to detect "ransomware" behaviors, such as the rapid encryption of user files, and "botnet" behaviors, such as unauthorized outbound traffic to Command and Control (C&C) servers. The 2014 update improved SONAR’s false-positive rate by cross-referencing behavioral data with the Insight reputation database, creating a "dual-stage" verification process. symantec internet security 2014