Critical System Protection

  • 1.  CSP for Server 2003 (Detection vs protection)

    Posted May 17, 2016 06:04 PM

    I was thrown into a project for deploying CSP.

    - How much traffic / bandwidth is used between clients and the console?

    - What is the base detection policy that is used? What is the difference between detection and protection?

  • 2.  RE: CSP for Server 2003 (Detection vs protection)

    Posted Jul 07, 2016 03:27 PM

    Hi Johnny,

    There's quite a bit to learn about CSP (now known as Data Center Security or DCS). I would recommend you grab the documentation and dive in!

    As far as bandwidth used, the answer is 'it depends'. You have a lot of control over what information is sent to the management console. So much, in fact, that the bandwidth used might be as low as zero. Agents are completely able to operate in a 'standalone environment' where there is no communication back to the management server. Conversely, you can configure the agent to report all events. So... it depends on your needs.

    For a base detection policy to deploy, consider the out-of-the-box baseline detection policy. There are versions for both Windows and Linux. But, as with the event communication (above), it depends on your needs. The baseline policies are a great place to start. As a rule, I always deploy the out-of-the-box baseline policy and tweak it from there.

    To your question on the difference between detection and prevention:

    Detection policies will report on events that have happened on covered assets (meaning those that have the agent installed on them). So that's kind of a reactive mode. CSP (DCS) will react to and report events.

    Prevention is more of a proactive mode. You can control what processes are allowed to run. If, for example, you prohibit by policy ftp from running on a covered asset, then it will not run. Full stop.

    That's an oversimplified explanation. There's so much more, more than what can be described or explained here. I urge you to get the documentation set and learn all you can. If time is tight, contract with a Symantec partner for professional services.

    Good luck with your project!

    Will